Petya Ransomware skips the Files and Encrypts your Hard Drive Instead

Typically, when a user is infected by crypto-ransomware, the infection targets and encrypts the files on the victim's hard drives. This leaves the operating system working properly, but the user is unable to open the encrypted documents. The Petya Ransomware takes this to the next level by encrypting portions of the hard drive itself, so that you cannot access anything on the drive, including Windows. At the time of this writing, the ransom payment is ~0.9 bitcoins and there is no way to decrypt your drive for free.

This ransomware is currently being distributed via emails targeting the human resources departments of German companies. These emails contain Dropbox links to supposed job applications that download a file which, when executed, installs the Petya Ransomware on the computer. An example filename for the installer is Bewerbungsmappe-gepackt.exe.

It is important to note that there is a lot of bad information on the web about how to fix your computer once it has been encrypted by Petya. Many of these sites state that you can use the FixMBR command or otherwise repair your MBR to remove the infection. Though this will indeed remove the lock screen, it will not decrypt your MFT, so your files and Windows will still be inaccessible. Only repair the MBR if you do not care about the lost data and want to reinstall Windows.

Back in January, there was another short-lived ransomware that performed the same behavior but was not as advanced. At that time, though, a sample could not be retrieved, so it is unknown whether Petya is a redesigned version of the earlier one shown below.

Older Boot Encryptor

The Petya Ransomware Encryption Process

When first installed, the Petya Ransomware replaces the boot drive's existing Master Boot Record, or MBR, with a malicious loader. The MBR is the information placed at the very beginning of a hard drive that tells the computer how to boot the operating system. Petya then forces Windows to reboot so that the new malicious loader executes; the loader displays a screen pretending to be CHKDSK, and during this fake CHKDSK stage it encrypts the Master File Table (MFT) on the drive. Once the MFT is corrupted, or in this case encrypted, the computer no longer knows where files are located, or whether they even exist, and so they cannot be accessed.
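The two structures the paragraph above names, the MBR and the MFT, can both be checked from a raw image of the affected disk, which is how a responder confirms what actually happened rather than trusting the lock screen. The script below is an added example, not code from BleepingComputer or from the Petya analysis: it parses the MBR partition table, hashes the 440 bytes of boot code against a known-good baseline, follows the first partition to its NTFS boot sector, and checks whether the first $MFT record still carries its FILE magic. The disk image it runs on is constructed in memory, and the "tampered" variant only stands in for a replaced loader and an encrypted MFT; it does not reproduce Petya's code or cipher. The restore_boot_code function models what a FixMBR-style repair does, which is why its result still reports a damaged MFT.

```python
"""Disk-image triage for a boot-record attack of the Petya type: parse the MBR,
compare its boot code with a known-good hash, then follow the first partition
to its NTFS boot sector and $MFT. Added example; the image is constructed."""
import hashlib
import struct

SECTOR = 512
NTFS_OEM_ID = b"NTFS    "


def build_sample_image(tampered=False):
    """Construct a small image: MBR at LBA 0, one NTFS partition at LBA 2048.
    With tampered=True the boot code is replaced and $MFT record 0 is
    scrambled (a stand-in for encryption, not the real ransomware's cipher)."""
    part_lba, part_sectors = 2048, 4096
    image = bytearray(SECTOR * (part_lba + part_sectors))

    boot_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 433   # 440 bytes, benign stub
    if tampered:
        boot_code = b"\xEB\xFE" + b"\x00" * 438                     # foreign loader stub
    # Partition entry: status, CHS start, type, CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", part_lba, part_sectors)   # type 0x07 = NTFS
    mbr = boot_code + b"\x12\x34\x56\x78" + b"\x00\x00" + entry + b"\x00" * 48 + b"\x55\xAA"
    image[0:SECTOR] = mbr

    vbr = bytearray(SECTOR)                        # NTFS volume boot record
    vbr[0:3] = b"\xEB\x52\x90"
    vbr[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", vbr, 11, SECTOR)        # bytes per sector
    vbr[13] = 8                                    # sectors per cluster
    struct.pack_into("<Q", vbr, 48, 4)             # $MFT starts at cluster 4
    vbr[510:512] = b"\x55\xAA"
    image[part_lba * SECTOR:(part_lba + 1) * SECTOR] = vbr

    mft_off = part_lba * SECTOR + 4 * 8 * SECTOR   # cluster 4 * 8 sectors/cluster
    record = b"FILE0" + b"\x00" * 1019             # first $MFT entry, "FILE" magic
    if tampered:
        record = bytes(b ^ 0x5A for b in record)   # scrambled, as an encrypted MFT would be
    image[mft_off:mft_off + len(record)] = record
    return bytes(image)


def parse_mbr(sector0):
    """Return the boot-code hash, the 0x55AA signature check and non-empty partition entries."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector0, 446 + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector0[:440]).hexdigest(),
            "signature_ok": sector0[510:512] == b"\x55\xAA",
            "partitions": partitions}


def ntfs_volume_status(image, lba_start):
    """Check the partition's boot sector and whether $MFT record 0 still reads as one."""
    vbr = image[lba_start * SECTOR:(lba_start + 1) * SECTOR]
    if len(vbr) < SECTOR or vbr[3:11] != NTFS_OEM_ID:
        return {"ntfs_vbr": False, "mft_record_ok": False}
    bytes_per_sector, = struct.unpack_from("<H", vbr, 11)
    sectors_per_cluster = vbr[13]                  # read literally; fine for standard cluster sizes
    mft_cluster, = struct.unpack_from("<Q", vbr, 48)
    mft_off = lba_start * SECTOR + mft_cluster * sectors_per_cluster * bytes_per_sector
    return {"ntfs_vbr": True, "mft_record_ok": image[mft_off:mft_off + 4] == b"FILE"}


def triage(image, baseline_boot_code_sha256):
    """Combine the MBR and NTFS checks into one findings dict."""
    mbr = parse_mbr(image[:SECTOR])
    findings = {"mbr_signature_ok": mbr["signature_ok"],
                "boot_code_matches_baseline": mbr["boot_code_sha256"] == baseline_boot_code_sha256,
                "partitions": mbr["partitions"]}
    if mbr["partitions"]:
        findings.update(ntfs_volume_status(image, mbr["partitions"][0]["lba_start"]))
    else:
        findings.update({"ntfs_vbr": False, "mft_record_ok": False})
    return findings


def restore_boot_code(image, known_good_boot_code):
    """What a FixMBR-style repair does: put back the 440 bytes of boot code and nothing else."""
    return known_good_boot_code[:440] + image[440:]


if __name__ == "__main__":
    clean = build_sample_image()
    baseline = parse_mbr(clean[:SECTOR])["boot_code_sha256"]
    print("clean   :", triage(clean, baseline))
    bad = build_sample_image(tampered=True)
    print("tampered:", triage(bad, baseline))
    print("after boot-code restore:", triage(restore_boot_code(bad, clean[:440]), baseline))
```

On a real case the image would be a forensic copy of the pulled drive rather than the constructed bytes here, and the baseline hash would come from a known-good MBR of the same machine or imaging template. The third run is the point the article makes: after the boot code is restored, boot_code_matches_baseline is true again but mft_record_ok stays false, because repairing the MBR does nothing for an encrypted MFT.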

Fake CHKDSK

Once the fake CHKDSK is completed, you will be presented with a lock screen that displays instructions for connecting to a TOR site and a unique ID you must enter on the site to make the ransom payment. Once a ransom payment has been made, you will receive a password that you can enter into this screen to decrypt your computer.

Lock Screen

How the Petya Ransomware encrypts your drive is illustrated in the video below.

Getting your password in 5 steps on the Petya Decryption Site

When a victim visits the site they are presented with a CAPTCHA page. Once the CAPTCHA is solved they are shown the first page of the decryption site, which explains what has happened to the computer.

Petya Decryption Site

If a user clicks on Start the decryption process, they are walked through a 5-step process in which they learn how to make a payment and eventually retrieve a password. These steps are displayed below.

Decryption Process Step 1

Decryption Process Step 2

Decryption Process Step 3

Decryption Process Step 4

The fifth and final step becomes available when a ransom payment is sent to the associated address. It is assumed that the fifth step will display a page that contains the password you must enter into the lock screen on the victim's computer. Once a password is entered, the ransomware will decrypt the MFT and restore the original MBR. This will then allow you to boot back into Windows and access your files again.

As already stated, there is currently no way to decrypt your drive for free. Researchers are analyzing this ransomware, though, so it may become possible in the future.

Lawrence Abrams is the creator and owner of BleepingComputer.com. Lawrence's area of expertise includes malware removal and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

Comments

If you were to use data recovery software that ignores the MFT and looks through the disk would that still work to retrieve the files? I've had success in the past with drives with a corrupt MFT getting files off using this type of software. IIRC I used "Spinright" or something like that.

Unfortunately, that is outside my level of knowledge when it comes to repairing an MFT. If it's possible to recreate an MFT based on other data on the drive, then I see no reason why this would be a problem. Not sure if this is possible though.

If the ransomware encrypts only the MFT, then the majority of the files would be recoverable even by simple file recovery tools - if a file is contiguous on the disk then all you have to do is read the disk block by block and check for matches against known magic bytes (and then figure out where the end of the file is - usually not too difficult). Fragmented files would be a lot trickier, I'd have to go back and do some reading about NTFS to find out if it was at all possible. I think it highly unlikely that you could return the OS to a working state, but you should be able to get most user data back without paying.

In my experience, such programs are fairly good. Never tried to recover an entire drive of data from them though. In any case, filenames will be lost and guesswork may be required to determine the file type.

Some BIOS/EFI/UEFI do have an option to prevent the MBR or GPT from being changed. This can pose a problem when installing or upgrading an OS, so you go into the BIOS to disable it, and then install it, but for the most part, it doesn't cause any other problems.

I found this article hxxp://nabzsoftware.com/types-of-threats/petya-ransomware and the solution they offer is simple as hell. If you don't want to go there, I copied the first thing you should do in order to boot into Windows. "the infected person needs to power down their machine, turn it back on and repeatedly hit the F2, ESC or DEL key to enter BIOS configuration. Then, the victim should proceed to the Boot tab, select the correct boot device, save the changes and exit the interface. The OS should now launch like it usually does." Is that possible?

Those were my exact thoughts. Plus it's software I consider junkware anyways. Another guide that pretends like it has the solution to decrypt your data, only to say "restore from backups"... Amazing how quick these cookie-cutter articles appear before I even see the legit info posted on the ransomwares this week.

Hang on a second... if it ONLY encrypts the file table, then the files themselves are NOT encrypted and can be easily recovered with an "undelete" tool, no? This ransomware's strength may also be its weakness...
Do we have a VM malware sample to test this method on? Filenames may be lost but that's a small price to pay.
EDIT: Just realize I restated what @Wolfnet said. I really need to get to sleep...

Since this only encrypts the MFT, not the files, one could use PhotoRec to recover the files, as PhotoRec bypasses the file system layer and finds files by comparing bytes to a database of file signatures instead (although the original file structure can't be recovered because they're in the encrypted MFT)
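The two comments above describe the same recovery idea: ignore the file system, scan the raw disk for known magic bytes, and cut each file out once its footer is found. The script below is an added example of that signature-based carving, not code from PhotoRec, TestDisk or any commenter; it uses the standard JPEG, PNG, PDF and ZIP header and footer markers and runs over a disk image constructed in memory. It also verifies carved PNGs chunk by chunk and opens carved ZIPs, because a carver that finds a header and a footer has not yet proven the bytes in between are intact.

```python
"""Signature-based file carving over a raw image: locate files by their magic
bytes and footers without consulting the (encrypted) file system. Added
example with a constructed image; the signatures are the standard markers."""
import io
import struct
import zipfile
import zlib

# header -> (kind, footer, bytes after the footer that still belong to the file)
SIGNATURES = {
    b"\xFF\xD8\xFF":       ("jpg", b"\xFF\xD9", 0),
    b"\x89PNG\r\n\x1a\n":  ("png", b"IEND\xAE\x42\x60\x82", 0),
    b"%PDF-":              ("pdf", b"%%EOF", 0),
    b"PK\x03\x04":         ("zip", b"PK\x05\x06", 18),   # EOCD record is 22 bytes total
}


def carve(image):
    """Return carved files as dicts in offset order; headers with no footer are skipped."""
    hits = []
    for header in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            hits.append((pos, header))
            pos = image.find(header, pos + 1)
    hits.sort()
    found, cursor = [], 0
    for pos, header in hits:
        if pos < cursor:                 # lies inside a file already carved
            continue
        kind, footer, tail = SIGNATURES[header]
        end = image.find(footer, pos + len(header))
        if end == -1:
            continue                     # orphan header: truncated or overwritten file
        end += len(footer) + tail
        found.append({"offset": pos, "kind": kind, "size": end - pos, "data": image[pos:end]})
        cursor = end
    return found


def png_chunks_valid(data):
    """Walk the PNG chunks and verify every CRC, so a carved PNG can be trusted."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        return False
    pos = 8
    while pos + 12 <= len(data):
        length, = struct.unpack_from(">I", data, pos)
        if pos + 12 + length > len(data):
            return False
        kind = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack_from(">I", data, pos + 8 + length)
        if zlib.crc32(kind + payload) & 0xFFFFFFFF != crc:
            return False
        if kind == b"IEND":
            return True
        pos += 12 + length
    return False


def zip_names(data):
    """Open a carved ZIP in memory and list its members (raises if it is not a valid ZIP)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def _png_chunk(kind, payload):
    return (struct.pack(">I", len(payload)) + kind + payload
            + struct.pack(">I", zlib.crc32(kind + payload) & 0xFFFFFFFF))


def build_sample_image():
    """Constructed 40 KiB image: four complete files plus one orphan JPEG header."""
    img = bytearray(0xA000)
    jpg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 48 + b"\xFF\xD9"
    img[0x400:0x400 + len(jpg)] = jpg
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)         # 1x1 grayscale
    png = (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))
    img[0x2000:0x2000 + len(png)] = png
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
    img[0x4000:0x4000 + len(pdf)] = pdf
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("note.txt", "hello")
    zip_bytes = buf.getvalue()
    img[0x6000:0x6000 + len(zip_bytes)] = zip_bytes
    img[0x9000:0x9003] = b"\xFF\xD8\xFF"                          # header with no footer
    return bytes(img)


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(hex(f["offset"]), f["kind"], f["size"], "bytes")
```

The orphan header at the end of the sample image is there to show the failure mode the comments hint at: a header without a footer is skipped rather than carved to the end of the disk. Two limitations are worth keeping in mind on real drives: a footer byte sequence can legitimately occur inside a file (FF D9 inside JPEG data, for instance), and fragmented files come out as garbage because the carver assumes a file is contiguous, which is exactly the caveat raised above.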

The problem is that, like previously mentioned recovery software, one would have to look through each file to determine what it was. You can compare hashes for programs and system files, but personal info would take forever to sift through.

But what if you just take your hd out and put it in an enclosure and access it from another computer? Are the files themselves encrypted? Or just the MBR? Could you just copy your files off the HD as an external and just re-image the drive?

I currently have MWB Anti-Exploit and MWB AntiRansomware (beta) installed and running on my notebook courtesy of the free downloads available on B.C. (which I am very thankful to B.C. for, of course!). My question is, how effective are these suites likely to be against this 'new' (and other) types of Ransom/Cryptoware?
Also, one more question....I am purely a recreational pc user who only has music files stores on my pc which are all backed up to disc. If this 'new' harddisc-attacking Rware gets on my pc, will I simply be able to reset my pc back to factory settings at the expense of having to re-install everything including Windows10, or would my entire device be rendered completely useless?

"Sounds kinda stupid to me, how can you pay them (if you wanted to) if your computer won't boot? Some people only have 1 computer."

I'm no expert, but it seems like this is targeted more towards big corporations where the criminals know there will be multiple amounts of computer terminals on site and where the data is likely to be more precious and important. If private users like myself get infected, I don't really think they care if we pay or not - and whether or not we are able to is of no concern to them! Having read lately about Rware showing up at hospitals, it really makes me shudder that lives are being put at risk if data regarding things like patients' blood types, medication records, allergies, medical history etc etc etc is being encrypted in this manner. These cyber criminals are quite literally using sick patients as pawns to get their ransom money! When and if they ever get caught, it should be treated as attempted murder - or worse!

""Sounds kinda stupid to me, how can you pay them (if you wanted to) if your computer won't boot? Some people only have 1 computer."

I'm no expert, but it seems like this is targeted more towards big corporations where the criminals know there will be multiple amounts of computer terminals on site and where the data is likely to be more precious and important. If private users like myself get infected, I don't really think they care if we pay or not - and whether or not we are able to is of no concern to them! Having read lately about Rware showing up at hospitals, it really makes me shudder that lives are being put at risk if data regarding things like patients' blood types, medication records, allergies, medical history etc etc etc is being encrypted in this manner. These cyber criminals are quite literally using sick patients as pawns to get their ransom money! When and if they ever get caught, it should be treated as attempted murder - or worse!"

I thought the same. Some part of Windows must boot; if not all of it, to be able to access the Internet. Also as soon as I saw 'don't turn your computer off....', I would do just that and then the same for the router.

Would a good antivirus like Bitdefender or Emsisoft or an anti ransomware program like WinAntiRansom be able to block something like this without signatures? I know Bitdefender Antiransomware would catch any ransomware that encrypts your files after Windows has loaded, but because it does the encrypting before Windows loads, would a good antivirus or anti ransomware program be able to block it? Also, would something like Comodo sandbox or Sandboxie or a system change control like DeepFreeze or TimeFreeze be able to stop or revert the encryption?

This technique has been used in the past when a drive was inaccessible from a viral infection or other means. I have not tested it with a PETYA attack but may be worth a try for someone who doesn't want to pay the ransom but wants to attempt saving their files.

1. Go to http://www.knoppix.org/
2. Select English and download the Knoppix ISO
3. Burn Knoppix ISO to CD
4. Boot computer from the Knoppix (Linux) CD
5. Enter "boot knoppix" at prompt
6. Now you will be presented with a Linux desktop and should be able to browse the hard drive (disk icon shown on desktop)
From here, you can attach a USB external drive and try to copy any files from the affected system. Hope this may be a workaround to salvage files from a PETYA attack. Let me know.

Since the information is saved in the MBR, I wonder if doing a hard reset (removing the BIOS battery and the RAM) could help, or if removing the hard drive and opening it on a different computer could fix the problem. Have you tried this before?

As long as you do not start your computer with the malicious MBR installed, the encryption will not occur. So if you can power off your computer before it turns on that first time after the MBR is installed, you can take the hard drive, boot off a recovery CD or any other bootable device, and repair the MBR on the disk.

If Petya actually encrypts the MFTs, a simple unerase or basic data recovery program is not going to work. I think you would have to tell even GetDataBack to ignore the MFTs and to perform a raw, low level, recovery.
Does anyone know firsthand if it also destroys the partition structures? I'm concerned that if the recovery and system partitions are missing afterwards, it could be a real mess!

There is a program called 'testdisk' that finds files on a disk without a partition table and extracts them as file000000001, file000000002 ...
You then have to find out what kind of file it is and what name it had - not practical for many files, but an option if you only have a few very important ones.

In general and for over 30 years now, if you find the parent folder on a Dos/Windows hard disk drive, all of the subfolders and files are recovered with their names intact. This; however, can be seriously affected if the partition structure has been damaged especially with manufacturers dividing the drive into three or more partitions.

My PC is infected with Petya. I entered the data that I read from the HDD at https://petya-pay-no-ransom-mirror1.herokuapp.com/ and the procedure starts, but after hours without success an error occurs. Please help; it says unable to continue.

This really should have been in the forums; but, you need to take the hard disk drive out of the PC and connect it to a working PC so you can see what is really going on. If Petya was successful, you'll need a data recovery tool to get the files back. If it was not, there will be two YOUR_FILES_ARE_ENCRYPTED files in a whole bunch of folders.

As I already said, you need to take that hard disk drive physically out of the original PC and connect it as a second drive to a working one. Then, if the PC reports the drive is raw or unformatted, PETYA was successful and none of the files themselves were encrypted. You'll need a program like GetDataBack for NTFS which will scan the drive and find your stuff. It isn't free; but, you can run the scan, check a picture or document, then activate it to copy your files to someplace else.
If PETYA failed to install, all of your folders will be visible; but, all of the files will be encrypted and you're sunk.

By chance, is there any group that's looking at the Pre-Petya infection? We just got hit with that infection and trying to see if TestDisk will recover the MFT. We have working backups as well, but we also have a possible sample to send in if there's any groups looking for it.

Recently, I had a LaCie 4TB NAS which LaCie, by default, configured as a 4GB boot partition and then creates a spanned drive for the public access. In the process of the first drive failing, it corrupted the database used for spanning and GetDataBack could not find anything to recover on the second drive (It reported no MFT's found which was true, they were on the first drive). Because of that, I might suggest trying a different program; namely PhotoRec because it ignores the filesystem and, instead, finds files by their signature bytes. http://www.cgsecurity.org/wiki/PhotoRec